Ethical Hacking News
Russian hackers have been aggressively targeting individuals and organizations with ties to Ukraine and human rights, aiming to gain unauthorized access to Microsoft 365 accounts using a sophisticated social engineering operation that leverages legitimate Microsoft OAuth workflows. To protect yourself from this type of attack, learn more about how to defend against social engineering operations and stay up-to-date on the latest cybersecurity threats.
Key points:
- Russian hackers have been targeting individuals and organizations with ties to Ukraine and human rights, aiming to gain unauthorized access to Microsoft 365 accounts.
- The attack uses social engineering tactics, relying on one-on-one interaction with the target to trick them into clicking a link and sending back a Microsoft-generated code.
- Threat actors impersonate European officials to gain victims' trust and obtain a Microsoft-generated OAuth code.
- The attackers use legitimate Microsoft OAuth workflows to gain access to M365 accounts, highlighting the sophistication of their tactics.
- Organizations with ties to Ukraine and human rights are advised to take immediate action to protect themselves from similar attacks.
- Individuals can reduce their risk of falling victim by securing their accounts, educating themselves about the risks associated with unsolicited contacts, and understanding OAuth 2.0 authentication workflows.
Russian hackers have been aggressively targeting individuals and organizations with ties to Ukraine and human rights, aiming to gain unauthorized access to Microsoft 365 accounts since early March 2025. This highly targeted social engineering operation is a significant shift from previously documented attacks that leveraged a technique known as device code phishing.
The attack relies heavily on one-on-one interaction with the target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code. Security researchers have identified at least two different threat clusters tracked as UTA0352 and UTA0355, although the possibility that they could also be related to APT29, UTA0304, and UTA0307 hasn't been ruled out.
The latest set of attacks is characterized by a new technique aimed at abusing legitimate Microsoft OAuth 2.0 authentication workflows. The threat actors impersonate officials from various European nations and, in at least one case, have been found to use a compromised Ukrainian Government account to trick victims into providing a Microsoft-generated OAuth code.
The attackers contact their targets via messaging apps such as Signal and WhatsApp, inviting them to join a video call or register for private meetings with various national European political officials or for upcoming events centered around Ukraine. These efforts seek to dupe victims into clicking links hosted on Microsoft 365 infrastructure.
If the target responded to the messages, the conversation would quickly progress to scheduling an agreed-upon time for the meeting. As that time approached, the purported European political official would make contact again and share instructions on how to join the meeting.
The attackers use this tactic to trick their victims into handing over a Microsoft-generated OAuth authorization code, which the attackers then exchange for an access token that ultimately grants access to the victim's M365 account. This attack is a significant concern for organizations with ties to Ukraine and human rights, as well as for anyone who uses Microsoft 365.
The fact that these attacks are using legitimate Microsoft OAuth workflows to gain unauthorized access highlights the sophistication of the threat actors' tactics, and underscores the importance of vigilance in defending against social engineering operations. It also serves as a reminder that even seemingly innocuous interactions can be used to compromise an individual's security.
In light of this attack, organizations with ties to Ukraine and human rights are advised to take immediate action to protect themselves from similar attacks in the future. This includes auditing newly registered devices, educating users about the risks associated with unsolicited contacts on messaging platforms, and implementing conditional access policies that restrict access to organizational resources to only approved or managed devices.
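The two defensive measures named above, auditing newly registered devices and restricting access to managed or compliant devices, can be checked against exported sign-in data. The following script is an added example written for this page; it is not code from the article or from the researchers it cites. It runs over constructed sample records whose field names mirror a subset of the Microsoft Graph signIn and device resources (deviceDetail.deviceId, isManaged, isCompliant, registrationDateTime); treat those names as an assumption of the example and verify them against your own tenant export. It flags sign-ins that arrive from a device registered shortly before the sign-in and not marked managed or compliant, and it emulates the grant decision of a conditional access policy that requires a managed or compliant device.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real tenant data). Field names follow a subset
# of the Microsoft Graph signIn and device resources; that mapping is an
# assumption of this example, check it against your own export.
DEVICES = [
    {"deviceId": "dev-001", "displayName": "LAPTOP-HR01",
     "isManaged": True, "isCompliant": True,
     "registrationDateTime": "2025-03-01T09:00:00Z"},
    {"deviceId": "dev-002", "displayName": "DESKTOP-X9Q2",
     "isManaged": False, "isCompliant": False,
     "registrationDateTime": "2025-03-12T14:05:00Z"},
]

SIGNINS = [
    # Routine sign-in from a long-registered, managed device.
    {"id": "s1", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2025-03-12T08:30:00Z", "ipAddress": "198.51.100.10",
     "deviceDetail": {"deviceId": "dev-001", "isManaged": True, "isCompliant": True}},
    # Sign-in 15 minutes after an unmanaged device was registered to the account.
    {"id": "s2", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2025-03-12T14:20:00Z", "ipAddress": "203.0.113.77",
     "deviceDetail": {"deviceId": "dev-002", "isManaged": False, "isCompliant": False}},
    # Sign-in with no registered device at all (empty deviceId).
    {"id": "s3", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2025-03-13T10:00:00Z", "ipAddress": "203.0.113.78",
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False}},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the records into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_unmanaged_device_signins(signins, devices, window=timedelta(hours=24)):
    """Return sign-ins that came from a device registered at most `window`
    before the sign-in and that is neither managed nor compliant.

    A device registered and used within minutes, from an unmanaged endpoint,
    is the pattern an audit of newly registered devices should surface."""
    by_id = {d["deviceId"]: d for d in devices}
    findings = []
    for s in signins:
        detail = s.get("deviceDetail") or {}
        dev = by_id.get(detail.get("deviceId") or "")
        if dev is None:
            # No registered device to audit; the access policy below handles this case.
            continue
        if dev["isManaged"] or dev["isCompliant"]:
            continue
        age = parse_ts(s["createdDateTime"]) - parse_ts(dev["registrationDateTime"])
        if timedelta(0) <= age <= window:
            findings.append({
                "signInId": s["id"],
                "user": s["userPrincipalName"],
                "device": dev["displayName"],
                "ip": s["ipAddress"],
                "registeredMinutesBefore": int(age.total_seconds() // 60),
            })
    return findings


def conditional_access_decision(signin):
    """Emulate a policy that grants access only from managed or compliant devices.
    A sign-in with no device record, or with an unmanaged one, is blocked."""
    detail = signin.get("deviceDetail") or {}
    if detail.get("isManaged") or detail.get("isCompliant"):
        return "allow"
    return "block"


if __name__ == "__main__":
    for finding in new_unmanaged_device_signins(SIGNINS, DEVICES):
        print("AUDIT:", finding)
    for s in SIGNINS:
        print(s["id"], conditional_access_decision(s))
```

On the sample data the audit reports only s2 (an unmanaged device registered 15 minutes before use), while the policy emulation blocks both s2 and s3, since neither presents a managed or compliant device. The 24-hour window is a tunable threshold; a real audit would read the same two record types from a tenant export rather than the constants above.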
The use of Microsoft 365 infrastructure by these attackers also highlights the importance of security best practices when it comes to authentication and authorization. By understanding how OAuth 2.0 Authentication workflows work, individuals can better protect themselves against similar attacks in the future.
In conclusion, the Russian hackers' exploitation of Microsoft OAuth to target Ukraine allies via Signal and WhatsApp is a sophisticated social engineering operation that highlights the importance of vigilance in defending against such threats. By taking proactive steps to secure their accounts and educate themselves about the risks associated with unsolicited contacts on messaging platforms, individuals can significantly reduce their risk of falling victim to similar attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Hackers-Exploit-Microsoft-OAuth-to-Target-Ukraine-Allies-via-Signal-and-WhatsApp-A-Sophisticated-Social-Engineering-Operation-ehn.shtml
https://thehackernews.com/2025/04/russian-hackers-exploit-microsoft-oauth.html
https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
Published: Wed Apr 23 10:58:09 2025 by llama3.2 3B Q4_K_M